From: Alan T. DeKok <aland@freeradius.org>
Date: Fri, 30 Jul 2021 13:58:41 +0000 (-0400)
Subject: document proxy_protocol
X-Git-Tag: release_3_0_24~78
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=54c5ec1da6396bad2ab482fbdb33ac6ebf86feaa;p=thirdparty%2Ffreeradius-server.git

document proxy_protocol
---

diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
index c4ef84a6e9e..d52c785acf7 100644
--- a/raddb/sites-available/tls
+++ b/raddb/sites-available/tls
@@ -64,6 +64,29 @@ listen {
 
 	clients = radsec
 
+	#
+	#  Use the haproxy "PROXY protocol".
+	#
+	#  This configuration allows for many FreeRADIUS servers to be
+	#  behind a haproxy server.  The "PROXY protocol" allows
+	#  haproxy to send the actual client IP to FreeRADIUS.
+	#
+	#  This will work ONLY for RadSec (TLS).  Both the haproxy AND
+	#  the RadSec client MUST be listed as allowed RADIUS clients.
+	#
+	#  haproxy needs to have "send-proxy" configured for this server.
+	#  Health checks should be turned off, as haproxy does not
+	#  support RADIUS health checks.
+	#
+	#  The main use of this feature is for scalability.  There is no
+	#  longer any need to have a RADIUS proxy as a load balancer.
+	#  haproxy is fast, stable, and supports dynamic reloads!
+	#
+	#  The only problem is that many RADIUS clients do not support
+	#  RadSec.  That situation will hopefully change over time.
+	#
+#	proxy_protocol = no
+
 	#
 	#  When this is set to "yes", new TLS connections
 	#  are processed through a section called